DocumentCode :
3433899
Title :
A security analysis of the OAuth protocol
Author :
Feng Yang ; Manoharan, Sathiamoorthy
Author_Institution :
Dept. of Comput. Sci., Univ. of Auckland, Auckland, New Zealand
fYear :
2013
fDate :
27-29 Aug. 2013
Firstpage :
271
Lastpage :
276
Abstract :
The OAuth 2.0 authorization protocol standardises delegated authorization on the Web. Popular social networks such as Facebook, Google and Twitter build their APIs on the OAuth protocol to support social sign-on and social sharing. The intermediary authorization code can be leaked in transit, after which it may be abused. This paper uses an attacker model to study the security vulnerabilities of the OAuth 2.0 protocol. The experimental results show that common attacks such as replay attacks, impersonation attacks and forced-login CSRF attacks are capable of compromising the resources protected by the OAuth 2.0 protocol. The paper presents a systematic analysis of the potential root causes of the disclosed vulnerabilities.
Keywords :
authorisation; cryptographic protocols; social networking (online); API; Facebook; Google; OAuth 2.0 authorization protocol; Twitter; Web; delegated authorization; disclosed vulnerabilities; forced-login CSRF attacks; impersonation attacks; replay attacks; security analysis; social networks; systematic analysis; Authentication; Authorization; Facebook; Google; Protocols; Servers; OAuth; Single sign-on; security vulnerabilities;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Communications, Computers and Signal Processing (PACRIM), 2013 IEEE Pacific Rim Conference on
Conference_Location :
Victoria, BC
ISSN :
1555-5798
Type :
conf
DOI :
10.1109/PACRIM.2013.6625487
Filename :
6625487